Announcement

Collapse
No announcement yet.

X.Org's Indirect GLX State Is Frightening Researchers

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #21
    Originally posted by schmidtbag View Post
    I really don't get it. Xorg is supposedly littered with security problems and has been for over 20 years. I have never heard of a case where risks like these have actually been exploited in real-world scenarios. That isn't to say it never happened or can't, but it's definitely rare enough to not be a concern. Also, if security is what we're after, this attention should be devoted to Wayland. Xorg should just simply be maintained at this point. In my opinion, stuff like this should be kept around, assuming Wayland will never get it's hands on it.
    This doesn't make sense for me as well. Why the f didn't they just leave it as is and maintain it. They are working on tech that is for the last 10years terribly outdated and alternative exists.

    But I guess oss projects actually don't have issue with lack of people, they are just doing stupid stuff for stupid reasons.
    Same is with packaging for n distributions. This whole mess doesn't make sense.

    Comment


    • #22
      Originally posted by karolherbst View Post
      you are aware, that any application can record your entire screen the entire time?
      Originally posted by schmidtbag View Post
      Yes, and I don't care. Are you aware of how many people actually take advantage of this?
      I take advantage of it: each time I need a screenshot of my desktop. !!! I know it as feature, not a bug !

      I fear more a "malicious" process could ptrace(2) my firefox than a malicious process is able to record my screen.

      Quite frankly, this for me the fact that an application might record my screen is not a problem because my applications are the ones packaged by my distro. And I trust my distro. So I am quite confidently that I am "secure".
      However in a world doomed by the "market" model (like google play or docker) where the potentially installable applications are less checked, the sources aren't available each time and there no is a "community" of developers to check continuously the sources, I would not be so confident. But in this case my solution is to not "trust" the "market model" and to switch to another model.

      Comment


      • #23
        Originally posted by kreijack View Post


        I take advantage of it: each time I need a screenshot of my desktop. !!! I know it as feature, not a bug !

        I fear more a "malicious" process could ptrace(2) my firefox than a malicious process is able to record my screen.

        Quite frankly, this for me the fact that an application might record my screen is not a problem because my applications are the ones packaged by my distro. And I trust my distro. So I am quite confidently that I am "secure".
        However in a world doomed by the "market" model (like google play or docker) where the potentially installable applications are less checked, the sources aren't available each time and there no is a "community" of developers to check continuously the sources, I would not be so confident. But in this case my solution is to not "trust" the "market model" and to switch to another model.

        well this is true as long as you are sure that your browser is secure enough. Being smart enough you might be able to write maleware, which executes stuff directly in your browser. And High data transfers are usually not unusual in browsers

        Comment


        • #24
          Originally posted by karolherbst View Post
          well you wanted to hear about security issues and now you don't care :/ Troll somewhere else please.
          First of all, I meant I don't care if applications can record what I'm doing. Second, I wanted solid proof that there are attacks exploiting these vulnerabilities. I don't care what can be done, I care about what has actually been done successfully for malicious intent.

          Comment


          • #25
            Originally posted by schmidtbag View Post
            ... companies like MS would use this info as leverage against Linux (or one of the BSDs), ...
            Aren't the BSDs using X too?

            Comment


            • #26
              Originally posted by schmidtbag View Post
              First of all, I meant I don't care if applications can record what I'm doing. Second, I wanted solid proof that there are attacks exploiting these vulnerabilities. I don't care what can be done, I care about what has actually been done successfully for malicious intent.
              first, then why are you annoying people, if you don't care go living your life in peace.

              second, afaik linux malware targets mostly servers for a bunch of very solid reasons, but even then it's very difficult to get any kind of data. Hell, it's hard even on Windows.

              But this does not mean we should run with doors open and count on the fact that none will care about targeting Linux, that's just stupid.

              Comment


              • #27
                Originally posted by starshipeleven View Post
                first, then why are you annoying people, if you don't care go living your life in peace.
                I seem to only be annoying people who disagree. And for the record (not just targeting you here) just because you don't agree with someone, that doesn't make them a troll. If I said "you're an idiot", you are likely going to respond to defend yourself, would you not? I was stating that I don't understand how this is enough of a security risk and if it was so bad, why it's being done now and not years ago. How is that so hard to understand? All I'm looking for is evidence that this is actually a problem and not just a hypothetical or theoretical issue.
                What I care about are features being taken away for unrealistic reasons. I personally don't need IGLX, but I know there are people who do.

                second, afaik linux malware targets mostly servers for a bunch of very solid reasons, but even then it's very difficult to get any kind of data. Hell, it's hard even on Windows.
                Exactly, and how many Linux servers do you know of that run X? Of those servers, how many get hacked? Of the servers that got hacked, how many were because of IGLX, or X in general? If IGLX was so inherently insecure and flawed, it would be abused much more readily.

                But this does not mean we should run with doors open and count on the fact that none will care about targeting Linux, that's just stupid.
                And as I've been trying to explain, the doors are located on the 50th floor leading directly outside with no balcony. The doors exist, but they're mostly useless. Sure, someone with enough determination would try getting through them. But you'd probably find out before they reach the 50th floor, and it means you've got other security issues to be worrying about.
                Last edited by schmidtbag; 29 May 2016, 11:14 AM.

                Comment


                • #28
                  Originally posted by schmidtbag View Post
                  I seem to only be annoying people who disagree.
                  No, you are annoying because you don't seem to understand what me and everyone else already told you multiple times (that can also be called "The Truth").
                  Security matters are very opaque, even on windows where there is much more interest it's impossible to get any kind of real numbers beyond some stuff graciously published by security consultants as a mean to gather some easy recognition.

                  Exactly, and how many Linux servers do you know of that run X?
                  None, they don't need X because it's a server. Windows usually has servers with GUIs, Linux, much less.

                  This does not mean that PCs that use X are fine tho.

                  If IGLX was so inherently insecure and flawed, it would be abused much more readily.
                  Um, you're disregarding a very important thing. The motive. Most modern malware is written to make money, not to cause disruption like back then. The usual market calculations that apply on commerical software also apply on malware.

                  As I said in other threads, Linux desktop in its current state would get horribly raped if it was on a significant amount of PCs, it's main saving grace is that none is giving a flying fuck about a platform where the marketshare is less than 1% when they could target Windows instead.
                  Hell, even OSX isn't terribly interesting for malware, go figure Linux Desktop.

                  The "linux" that is on a billion devices (Android) is LOCKED DOWN in any place, does not use Xorg, keeps sandboxed apps, is fragmented as each firmware isn't exactly the same OS due to OEM customizations and toolchains, and this allows it to survive decently in the wild without succumbing like Windows would.

                  The doors exist, but they're mostly useless.
                  Dunno, the ability to snoop my other applications and keylog me from a single compromised application isn't something I'd call "mostly useless".

                  If I wanted that level of "security" I'd be using all-snooping-Win10.

                  Sure, someone with enough determination would try getting through them. But you'd probably find out before they reach the 50th floor, and it means you've got other security issues to be worrying about.
                  Windows malware already relies on multiple vulnerabilities to get in and compromise a system. It's not easy to make modern malware. That's why script kiddies have dropped out.
                  Last edited by starshipeleven; 29 May 2016, 11:56 AM.

                  Comment


                  • #29
                    I always thought remote OpenGL acceleration was one of the cooler things about X. It surprised me, the first time I actually stumbled across it.

                    That said, a lot of programs don't work with it, since they use things like DRI.

                    Comment


                    • #30
                      Originally posted by coder View Post
                      I always thought remote OpenGL acceleration was one of the cooler things about X. It surprised me, the first time I actually stumbled across it.

                      That said, a lot of programs don't work with it, since they use things like DRI.
                      Heh, yeah. Even so far that if you had Wine behaving bad, one of the first things used to be looking for traces of AIGLX since it showing is a sign of broken desktop setup

                      Comment

                      Working...
                      X